Added a validation on the single story route

Checks if the story is private and if the user of the request is the same user of the story.
Sojstyles · Sep 1, 2020 · fd63c8e · fd63c8e
1 parent efe8ee5
commit fd63c8e
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/routes/stories.js b/routes/stories.js
@@ -51,9 +51,13 @@ router.get('/:id', ensureAuth, async (req, res) => {
  return res.render('error/404')
  }
 
- res.render('stories/show', {
- story,
- })
+ if (story.user._id != req.user.id && story.status == 'private') {
+ res.render('error/404')
+ } else {
+ res.render('stories/show', {
+ story,
+ })
+ }
  } catch (err) {
  console.error(err)
  res.render('error/404')